Create a file called /etc/rsyslog.d/55-armor.conf with the template below.

Replacetarget-name:port with the name of the configured endpoint and port.

#########################
#RsyslogGnuTLS
global(
# certificate files
defaultNetstreamDriverCAFile="/etc/rsyslog.d/keys/ca.d/logs.armor.com.pem"
)
template(
name="RFC3164Template"
type="string"
string="<%PRI%>%TIMESTAMP:::date-rfc3164% %HOSTNAME% %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"
)
# make gtls driver the default
$DefaultNetstreamDriver gtls
# do not validate peer
# if set to anon then $ActionSendStreamDriverPermittedPeer must not be set
#$ActionSendStreamDriverAuthMode anon
# run driver in TLS-only mode
$ActionSendStreamDriverMode 1
$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverPermittedPeer *.logs.armor.com
### Send auth or authpriv messages to Armor
# https://www.ibm.com/support/knowledgecenter/en/SS42VS_DSM/t_DSM_guide_Linux_OS_syslog.html
## if ( $syslogfacility-text == "auth" or $syslogfacility-text == "authpriv" ) then {
## & stop
## }
###
### Send httpd messages to Armor
if ( $programname startswith "httpd" ) then {
$ActionQueueType LinkedList
# unique name prefix for spool files
$ActionQueueFileName q_sendHttpdToArmor
# infinite retries if host is down
$ActionResumeRetryCount -1
# 1gb disk queue
$ActionQueueMaxDiskSpace 1g
# save messages to disk on shutdown
$ActionQueueSaveOnShutdown on
# queue.workerThreads may not be raised above 1
# Specifies the maximum number of worker threads that can be run parallel.
$ActionQueueWorkerThreads 1
# queue.dequeueSlowDown limited to 100 messages per second
# Regulates how long dequeueing should be delayed. This value must be specified in microseconds (1000000us is 1sec). It can be used to slow down rsyslog so it won't send
# things to fast. For example if this parameter is set to 10000 on a UDP send action, the action won't be able to put out more than 100 messages per second.
$ActionQueueDequeueSlowDown 10000
# queue.discardSeverity default 8
# As soon as the threshold of the parameter queue.discardMark is reached incoming aswell as queued messages with a priority equal or lower than specified will be erased.
# With the default no messages will be erased. You have to specify a numeric severity value for this parameter.
$ActionQueueDiscardSeverity 6
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
*.* @@target-name:port;RFC3164Template
# ### end of the forwarding rule ###
& stop
}
#########################